A closer look at phishing attacks

Cyber fraud is lurking everywhere across the internet and one of the most effective tactics on victims is “phishing.” Phishing is a term for the use of disguised and misleading emails, text, and instant messages to trick email recipients into believing that they are receiving a message from a trusted source. By posing as a bank, employer, or government authority, the attackers steal personal information and data such as login credentials, Social Security, credit card details, etc.

Phishing attacks can seem innocuous on the surface. An attack might look like a simple email message from the recipient’s company asking them to click on the link or download an attachment. However, when the link is clicked, the user is taken to a fake website where they are asked to take some action, like entering their credentials. Often the “ask” is the download of an innocent looking file which may actually install spyware or malware on their computer.

History and prevalence

Phishing is not a new phenomenon. One of the oldest and most common types of cyberattack, it can be traced back to the 1990s. Over time, users may have become savvier, but phishing messages have become more sophisticated and authentic in presentation. According to Verizon’s Data Breach Report, almost one-third of all data breaches in 2019 were a result of phishing attacks. Ultimately, its proliferation is the result of human trust – something that can be a challenge to firewall.

Phishing attack intent

Most commonly, an attacker will replicate an email that will look like an authentic email from a trusted source. The more convincing the disguise, the more likely they are to succeed. In tandem, the attacker will set up website landing pages that mimic a website that the victim trusts.

The intent is to get recipients of their messages to do one of two things:

Surrender sensitive information

Your personal information is literally the key to riches for phishing criminals. In many cases, attackers simply want your money. How do they get it? They lure you to a false landing page that looks like something your bank may host. If you “sign in” to your bank account in this case, you are really just handing over your bank account credentials to the attacker. Once they have them, it’s game over. They can go directly to your real account and empty it immediately. Millions of such emails are sent annually to would-be victims.

Keep in mind, it not always just about money from private citizens. The same process is often used on the corporate level to acquire secure documents – ideas, financial documentation, legal documentation, product specifications, etc.

Download malware

Malware is all about taking control of the host’s computer for nefarious purposes. And Phishing is the preferred method for malware infections.

A typical malware injection scenario may resemble the following path: The Phishing attacker imitates a company’s HR department and asks the targeted recipient to download an important form or document, such as a job seeker’s resume. This attachment is typically a zip file or a Microsoft Word document with embedded malicious code. In most cases this will be ransomware, code that takes control of the victim’s computer in some debilitating fashion until the users pays the hackers to unlock it. According to a report, 93% of phishing attacks had ransomware attachments.

Types of phishing attacks

There are many types of phishing attacks, and they all have colorful names – but they are all dangerous. Some of the most common:

Spear phishing

Whereas most Phishing targets a wide range of victims, Spear phishing is focused on defrauding a specific individual. Metaphorically, instead of casting a net or dropping a hook to see who takes the bait, the attacker focuses the attack in a personalized way.

Often targeted victim information is gathered through social media sites such as Facebook and LinkedIn. With this specific personal information, the attacker uses spoof email addresses and sends messages that appear to be coming from a trusted source, such as a friend, family member, employer or a co-worker.

For example, a spear-phishing fraudster may target an employee working in the finance department and pretend to be the department’s manager requesting the employee quickly transfer a large sum of money to an account.

Whale phishing

Whale phishing, also known as whaling, is a type of spear phishing that targets high-value individuals, company board members or CEOs. These targets have authority within their organization as well as access to important data.

Being an executive doesn’t mean you are not vulnerable. Note that most board members are not full-time employees, so they often use their personal email addresses for official or business-related correspondences. Personal emails are more susceptible to phishing attacks because they may not provide the same protection offered by a corporate email system. While whaling is a more time-consuming and sophisticated activity than other cyberattacks, if successful, it can reap big rewards for hackers.

Clone phishing

Clone Phishing employs a higher degree of disguise as it uses the content of an actual, legitimate email that contained a link or an attachment and was previously delivered to the victims.

After the attackers create the clone email, they replace the link or attachment with a malicious version or source and send it using a spoofed email address, impersonating an original sender.

These clone phishing messages may claim to be an updated version of the original email or the company resending the original email.

Filter evasion

Here, cyber attackers use images instead of words to make these phishing messages harder to detect with anti-phishing filters. However, more sophisticated filters can identify and recover hidden text within a malicious image using optical character recognition (OCR).

Website forgery

Website forgery uses a JavaScript code to alter the website’s address bar to lead users to malicious websites. Attackers place an image of a legitimate URL over the fake website’s address bar.

Phishing attackers use potential flaws within trusted websites’ scripts against the victims. Such attacks are difficult for a common user to spot without a specialist’s help.

Covert redirect

Covert redirect is where a link appears to be legit but takes the victim to attackers’ website. Typically, victims get an error message during log-in and the site asks them to enter their username and password again.

This type of phishing attack may also redirect the victims to fake websites covertly using malicious browser extensions. Attentive users will notice the malicious URL will be slightly different from the trusted URL.

Voice phishing

Fake websites, fake messages, malicious links, and attachments are not the only phishing attacks plaguing us. Voice phishing uses fake caller IDs that appear legitimate. These calls will ask you to dial a number to discuss an issue related to your bank account. Once you dial the number, it will ask you to enter your card details, your account number and your PIN code to verify your identity. Once you do that, the phone disconnects, and the attackers have your details.

Tabnabbing

Tabnabbing is another technique that takes advantage of multiple open tabs in a victim’s browser. The technique is to open a fake web page silently on the already opened tab in a browser when the user tries to open a legitimate website. The user mistakenly falls for the fake page, considering it to be original, and end up handing out information to the hackers.

Protect yourself from phishing

The best way to protect yourself from phishing attacks is research. Google the terms above and, by looking at samples, familiarize yourself with the hallmarks of fraud, as well as how to verify that you are on a legitimate website.

Some quick tips:

  • Check website URLs for spelling mistakes, especially if the link is mentioned in an email asking for sensitive information.
  • Be cautious about the URL redirects. Links that send you to a different website than what you expected might be a phishing attack.
  • If you have any doubts that the email may not be from the original source, contact them to confirm if they have sent you any message whatsoever.
  • Do not post personal information, such as birthdays, home addresses, and phone numbers on social media. Always set your privacy settings to the highest level possible.

Be cautious

Phishing attacks are a common and ever-present threat. Keep your security tight and never share personal details over email, phone, or in a message. You never know when you are exposing yourself to cyber attackers out there.

How to spot a phishing email

Would a Company Send Me That?

We’ve all heard of a phishing email. If you haven’t heard of a phishing email, now is the time to familiarize yourself with this must-know threat lurking online. In this article, we’ll show you how to spot a phishing email and examples of common phishing emails.

What is Phishing?

Modern-day fraudsters attempting to obtain sensitive information from a person or organization by posing as another person or a company online is known as phishing. They might be after your user information, such as passwords or usernames, or credit card and banking information. Employers should also be concerned as fraudsters have been known to steal sensitive or damaging information from employees or gain control of an entire company’s software.

According to a report by Symantec, 96% of phishing scammers are focused on intelligence gathering.

Scammers are known to use the information gained through phishing for:

  • Identity theft
  • Intellectual property theft
  • Industrial or Government Espionage
  • Corporate Sabotage – ex. stealing patent secrets
  • A total takeover of a website or online controls
  • Stealing money

How Does Phishing Work?

We frequently receive emails from our banks, our work IT administrators, or a trusted social media site. The email might ask for details, to log in with a username and password, or simply to click a link. Phishing is when a scammer sends you one of these emails in an effort to steal your information or gain access to your network. The perpetrator is setting a trap for users by pretending to be an authority figure, a legal entity or a company you recognize.  

It’s a lot like fishing, where an angler casts bait on the hook in the river. Eventually, a fish falls for the trap and bites on the bait. Fraudsters lure you to what seems like a legit request from a trustworthy source and wait for you to click on it. 

Instead of ending up at the end of a fishing pole, phishing victims may find themselves in a damaging situation. The consequences of a phishing attack could be the installation of malware on your computer or mobile phone or your phone or computer being frozen due to ransomware. One of the worst outcomes is your personal and sensitive information being exposed to the fraudulent entity. 

The results of phishing can be very devastating, whether you are an individual or a company. It may enable the fraudulent party to steal your bank account credentials, credit card details, and other sensitive information such as your driver’s license and social security numbers. This could lead to unauthorized purchases, identity theft, and money stolen from your bank account. 

According to the Data Breach Investigation from Verizon, 70% of online espionage was due to Phishing.

All of this might seem scary and treacherous but once you know the signs of a phishing email, you will be able to protect yourself and your employees.

Types of Phishing Emails

There are various ways impersonators and fraudsters attempt to make phishing look like a request from a company or person you trust. There are three major types of phishing. 

Email Phishing

Like fishermen casting a wide net hoping to catch the most fish possible, email phishing is all about numbers.  

An attacker sends out a fraudulent email or a message to thousands of people. Even if a small percentage of people end up clicking a link or providing their user information, an online imposter could end up with a significant amount of money and information. 

Scammers go to extreme lengths to make their emails and messages look legit. It can be difficult to tell the difference between a real email and a phishing attempt unless you look closely. Fraudsters will use the same taglines, same logos, and even signatures to mimic the authentic organization. Even the links within the email appear to be from the company they are impersonating.

Did you know that over 7,700 companies get attacked by an email scam every month? According to research, approximately 56% of all the emails you receive are spam, which includes phishing and other email scams. 

Spear Phishing

Spear phishing is a more focused attack aimed towards a specific organization or a person.

It is probably the most sophisticated form of phishing, where the impersonator does a lot of research on their part to know about the company or an individual.

To target individuals, they may look at your online habits, shopping history, websites you visit frequently, and your social media. 

For a company phishing email, they may look into your websites, social media, employees, financial commitments, and even the company structure for useful information. The perpetrator will send out an email to the most relevant employee for a project. An example phishing email might look like an email sent to the project supervisor of a specific campaign.  

The email will appear as if it was sent from the organization; it will feature the company’s logo, images, the same font, and might even have a signature from a higher-up at the company. The email will request the project supervisor to click on the enclosed invoice, which is password-protected and can only be open if the accounts manager enters his credentials. The attacker will then use this information to gain full access to the company’s network for more sensitive information and financial gains. 

According to the Symantec Internet Security Report, 71.4% of targeted attacks used spear-phishing techniques. 

Whaling

Whaling is a phishing technique that takes it up a notch. In these cases, attackers target senior management or people in power.

The subject and content of these phishing emails will be more in-line with something only a senior member in a company’s hierarchy has an authority to deal with, for example, a legal notice threatening for a penalty, or a customer’s complaint. 

Other forms of Phishing

There are other known forms of phishing, such as website forgery, where impersonators go through the hassle of actually creating a duplicate website. The cloned website looks exactly like the original, except if you look closely, the website link will be slightly different from the original. For example, a bank clone website may have the address www.ebay.shopping.com.

Similarly, Covert Redirect is another method, where the phishing email may have a link that looks legit. However, once you click on it, it will take you to the attacker’s website.

Voice phishing is more linked to the mobile world. For example, you may receive an email or a message that appears to be from your bank asking you to call to resolve an urgent matter. Once you dial the number, they will ask you to enter your name and account number and use that information for nefarious purposes.

How do I Spot a Phishing Email?

It is of utmost importance that you know how to recognize the signs of a phishing email. This will prevent you from falling for a company phishing email or one targeting individuals.

Are you sure that the email you received from your bank is actually from your bank? Or is it just one of the myriads of phishing emails floating in the sea of the World Wide Web? It is time you learn some techniques on how to spot a phishing email. 

A Legit Email will Never Request Your Personal Information

Always remember no matter how professional or authentic an email may look, no legitimate organization will ask you to offer up your bank account number, credit card details, or social security number. If you receive an email that requests your account information, consider it a phishing email. This email will ask you to enter your credentials by either clicking on an attachment or a link. This alone is a big indicator that it is a phishing attempt. 

It is All in the Name

Legitimate business partners and companies such as your bank, eBay, PayPal, etc. will always address you by your name in an email such as Dear Mr. /Ms. (your name). Whereas, a phishing email is sent out to thousands, so it will use a generic salutation such as “Dear User” or “Dear Valued Customer,” etc. Some perpetrators might leave the salutation out altogether, hoping that you would not notice. Take a second to look closer and spot this common sign of a phishing email.

Domain Emails Should Match the Address

You may notice the familiar name of your bank account manager, or of a company colleague and you might do what the email asks you to. Remember to hover your mouse over the “from” address in your email. This will reveal the email address it is sent from. If it looks dodgy, then it actually is. 

A legitimate company will have the domain address that matches their website. For example, an email from PayPal will have [email protected], not [email protected]com. Get in the habit of checking the e-mail address.  

Watch for Spelling Mistakes

It might be easy to laugh at or overlook silly spelling or grammar mistakes, but these errors are the easiest way to weed out the phishing attempt sitting in your inbox. Reputable companies make the effort to appear professional and have pride in the content sent to their clientele. Therefore, legitimate communication from companies won’t feature spelling errors.

Be wary of emails featuring frequent mistakes. Hackers are hoping that you don’t take the time to read an email carefully and will miss a spelling error or two and follow a link or provide your information.

Clicks versus a Call

Phishing emails will often ask you to click a website link. A reputable company will provide many avenues for you to contact them or access your information. Hackers will force you to visit their fraudulent website. Visiting fraudulent websites or following links in phishing emails can lead to installing a virus or malware on your system.

If a company really wants to speak with you, they will request you call a secure phone number or provide the information in an email. 

Beware Unsolicited Attachments

Why would your bank or any other company send you a word file or a photo as an e-mail attachment? They wouldn’t and this is probably one of the most effective and harmful tools in a hacker’s arsenal. If you get an unsolicited email with an attachment, just report it or delete it without clicking on anything.

Confirm Legitimate URLs

Appearances can be deceiving, and phishing emails are no exception. If you get a phishing email with a seemingly legitimate link, chances are it will direct you somewhere fraudulent. Always question the legitimacy of the link in question. Don’t click the link. Hover your mouse over the link to reveal where the link intends to take you.  

If the link appearing in the URL seems fishy or does not match the website you’re expecting, it is a phishing attempt. A secure and authentic link will begin with https://.

According to APWG, over a quarter of a million phishing websites were reported in the 3rd Quarter of 2019 alone.

Ways to Protect Yourself

After seeing some example phishing emails and the tactics scammers use, you should feel prepared to spot a phishing email. It is essential to know how to safeguard yourself or your business against phishing. It’s important to be vigilant and to pay attention to the details.

If you get an email with a suspicious attachment or asking you to provide some personal information, think before you react. Use common sense and logic to identify a phishing email.

In addition to the knowledge and skills you have, you can increase your security with reliable internet tools and features. It’s important to choose what you use for your security wisely and use multiple tools if possible.  

2FA or Two-Factor Authentication

Two-factor authentication (2FA) is the most effective way to counter phishing scams. Many service providers are asking users to upgrade to 2FA. Apple and Google users may have already been prompted to upgrade to two-factor authentication.

Two-factor authentication is based on two separate pieces of information to verify the legitimacy of the user. The first piece of information will be your username and password, and the second can be a security question or a code sent to you separately.

Many banks apply this to avoid any unauthorized purchase or money theft. Once you login to the account using your login credentials, your bank will send either a text message or email a one-time passcode. This passcode needs to be entered into the webpage or app to authenticate that it is really you making a transaction. 

Even though this sounds like a hassle, it can protect you or your company in the face of a phishing attack.

If you or a your employee end up falling for the phishing attack and give out your login credentials, they will be safe because the attacker will not be able to get past the second security barrier because the additional log-in information will be sent to your email or phone, not the hacker’s. 

Make sure to opt for 2FA, or if you are a company, it in your best interest to implement this security feature into your current IT infrastructure. 

Password Management 

It’s in your organization’s interest to use a strict password management policy. Create a policy that passwords must contain a combination of various alphabets, numbers, and special characters and that passwords must change frequently. Old passwords should be not reused.

As an individual, you should practice the same strategy. Change your password with regular intervals and do not use older passwords. 

Security Software

Install security software on your computer and smartphone. Security software notifies you about a potentially harmful emails and attachments that may contain malware, ransomware, or a virus. 

Controlled Access

In environments like schools and colleges, a policy that states “Do Not Click on External Links” must be enforced. Not only does it save children from phishing scams but also from their exposure to other harmful material. 

What If I Have Already Clicked On a Phishing Link?

You may have been busy or distracted. You may have been in a hurry and clicked a malicious link by mistake. Do not panic; follow these steps to prevent further damage. 

  • Disconnect your device
  • Back up Your Files
  • Scan your laptop or mobile phone device for malware
  • Change your Passwords
  • Report the attempted phishing attack to your local law enforcement agency’s cybercrime division
  • And most importantly, be careful in the future. 

Phishing Projection: 2021 and Beyond

The level of sophistication in phishing attacks will increase in the future. As technology changes and evolves, human error will always be something for hackers to exploit as they create more sophisticated phishing attacks.

The more technologically advanced society becomes, the more connected society becomes. Phishing and other malicious attempts by hackers are not to be taken lightly. Stay vigilant and pay attention to what you get in your inbox to spot a phishing email.